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August 25, 2009 



The President 
The White House 
Washington, DC 20500 

Dear Mr. President: 

As directed by your May 27, 2009 Memorandum, we established an Interagency 
Task Force to review current procedures for categorizing and sharing Sensitive but 
Unclassified (“SBU”) information. The Task Force conducted a 90-day review of the 
Controlled Unclassified Information (“CUI”) Framework for terrorism-related 
information within the information sharing environment established by Presidential 
Memorandum in 2008, and considered whether that Framework should be expanded to 
apply to all SBU information under the control of the Executive Branch. Enclosed are 
the Report and Recommendations resulting from this review. 

In addition to analyzing previous studies of SBU and the efforts of the CUI 
Council, the Task Force met with representatives from federal agencies both within and 
outside the information sharing environment; State, local, and tribal partners; privacy and 
open government organizations; and Congress. Informed by these consultations, a 
significant majority of the Task Force concluded that expanding the CUI Framework to 
encompass all SBU information will best strike the appropriate balance among the goals 
of Standardization, Information Sharing, and Government Transparency. 

The recommendation of a vastly expanded scope for CUI necessitates a careful 
and coordinated effort to attain the benefits of standardization without adversely affecting 
agencies’ missions or the security of sensitive information. Accordingly, the report 
recommends a phased approach to implementation of the proposed CUI Framework that 
prioritizes training, marking, and oversight. 

Taken as a whole, the Task Force’s recommendations seek to further information 
sharing among Executive Branch agencies as well as State, local, tribal and foreign 
partners by establishing a standard system for designating, marking, and handling all 
SBU information. The recommendations also enhance government transparency by 
establishing clear rules that protect information only when there is a compelling need to 
do so. 
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We recommend adoption of the Task Force Report and Recommendations, as 
well as the issuance of a new Executive Order rescinding the 2008 Memorandum on CUI 
and clearly setting forth the President’s intention for this complex but important subject. 



Respectfully, 
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Executive Summary 



The President’s Memorandum of May 27, 2009 on Classified Information and Controlled Unclassified 
Information, directed a Task Force, led by the Secretary of Homeland Security and the 
Attorney General, to review the Controlled Unclassified Information (“CUI”) Framework 
established in 2008 for the management of Sensitive but Unclassified 1 (“SBU”) terrorism- 
related information. The Task Force undertook a 90-day study of the CUI Framework, the 
current regimes for managing SBU information in the Executive Branch, and, by extension, 
the sharing of that information with our non-federal information-sharing partners. 

The Task Force concluded that Executive Branch performance suffers immensely from 
interagency inconsistency in SBU policies, frequent uncertainty in interagency settings as 
to exactly what policies apply to given SBU information, and the inconsistent application 
of similar policies across agencies. Additionally, the absence of effective training, 
oversight, and accountability at many agencies results in a tendency to over-protect 
information, greatly diminishing government transparency. 

Although the CUI Framework is intended to improve the sharing of only terrorism-related 
information, the Task Force concluded that a single, standardized framework for marking, 
safeguarding, and disseminating all Executive Branch SBU is required to further the goals 
of: 

• standardizing currently disparate terminology and procedures (represented by over 
107 distinct SBU regimes) ; 

• facilitating information-sharing through the promulgation of common and 
understandable rules for information protection and dissemination; and 

• enhancing government transparency through policies and training that clarify the 
standards for protecting information within the Framework. 

A simple , concise , and standardized CUI Framework, with effective centralized governance 
and oversight has the best chance of both wide acceptance within the federal government 
and broad adoption throughout our State, local, tribal, and private sector partner 
communities. The successful expansion of the scope of the CUI Framework requires 
careful consideration of agency missions, requirements, and the processes by which SBU 
information is currently managed. 



1 Sensitive but Unclassified (SBU) information refers collectively to the various designations used within 
the Executive Branch for documents and information that are sufficiently sensitive to warrant some level of 
protection but that do not meet the standards for classification. CUI Framework refers to the single set of 
policies and procedures established by the Presidential Memorandum of May 7, 2008, governing the 
designation, marking, safeguarding, and dissemination of terrorism-related SBU information, which 
pursuant to that Memorandum, is renamed as “Controlled Unclassified Information.” Expanding the scope 
of the CUI Framework refers to the extension of the CUI Framework governing the designation, marking, 
safeguarding, and dissemination of CUI to all SBU information in possession or control of the Executive 
Branch. 
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Building upon the CUI Framework established in 2008, the Task Force has proposed 40 
Recommendations intended to enhance Standardization, Information Sharing, Government 
Transparency, and the Protection of Information only where there is a compelling 
requirement to do so, including simplifying the definition of CUI; expanding the scope of 
the CUI Framework; clarifying that CUI markings have no bearing on releases either under 
the Freedom of Information Act or to Congress; and phasing implementation of the 
expanded scope of CUI. 



CUI Task Force Recommendations 



Recommendation # 1 
Recommendation #2 
Recommendation #3 

Recommendation #4 

Recommendation #5 
Recommendation #6 
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Recommendation #9 
Recommendation #10 
Recommendation #11 
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Recommendation #17 

Recommendation #18 
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Recommendation #26 
Recommendation #27 
Recommendation #28 
Recommendation #29 
Recommendation #30 
Recommendation #31 

Recommendation #32 
Recommendation #33 
Recommendation #34 
Recommendation #35 

Recommendation #36 
Recommendation #37 
Recommendation #38 
Recommendation #39 
Recommendation #40 



Simplify the Definition of CUI 

Expand the Scope of the CUI Framework 

Make the Expanded CUI Framework the Exclusive Means of 

Protecting SBU 

Adjust the CUI Council Membership and Roles to Reflect the 
Expanded Scope 

Moratorium on New SBU Regimes 

Engagement of Non-ISE Agencies 

Phase Implementation of Scope Expansion 

Designation of CUI 

Identification of CUI 

Agency CUI Programs 

Simplification of Categories and Markings 

Executive Agent to Establish Standard Markings and Guidance 

Flexible Marking of CUI 

Clarify that CUI Has No Bearing on FOIA 

Safeguarding 

Consultation on Threat 

CIO Council as Advisor on Information Standards and 
Safeguards 

Standardize Specified Dissemination 
Dissemination to Congress and the Courts 
Clarify Decontrol 
Establish Life Cycle 
Establish Exception Process 

Delay in Incorporation of Exceptions into the CUI Framework 
Amending Regulations or Statutes 
Establish Training 
Incentives 

Accountability and Sanctions 
Internal Oversight 

Challenges to Designation and Identification 
Federal Acquisition Guidance 

Phase Implementation of Training, Marking, Oversight and 
Reporting 

Phase Implementation of Technical Safeguards 
Marking Initiation 

Ensure Adequate Resourcing of Executive Agent 
Synchronize CUI Implementation with Government Processes 
and Cycles 

Impact of CUI on the Federal Enterprise Architecture 
Incorporate CUI into Federal Grant Guidance 
Annual Report of the Executive Agent 
Establish a Baseline Measurement of Current SBU Efforts 
Measure Implementation 
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Part 1. Overview 



In furtherance of the Administration’s commitment to openness and transparency in 
government, the President’s Memorandum of May 27, 2009, entitled Classified Information and 
Controlled Unclassified Information (the “2009 Memorandum”) directed that the Attorney 
General and the Secretary of Homeland Security lead an Interagency Task Force on 
Controlled Unclassified Information (“CUI”)(the “Task Force”). The mission of the Task 
Force was to review current procedures for categorizing and sharing Sensitive But 
Unclassified (“SBU”) 2 information in order to determine whether such procedures strike 
the proper balance among certain imperatives. These imperatives include protecting 
legitimate security, law enforcement, and privacy interests as well as civil liberties; 
providing clear rules to those who handle SBU information; and ensuring that the handling 
and dissemination of information is not restricted unless there is a compelling need. 

In addition to reviewing current procedures for SBU, the Task Force was charged with 
considering: 

• measures to track agencies’ progress with implementing the “CUI Framework” 3 

• other measures to enhance implementation of an effective information sharing 
environment across agencies and levels of government, 4 and 

• whether the scope of the CUI Framework should remain limited to terrorism- 
related information within the Information Sharing Environment (“ISE”) or be 
expanded to apply to all SBU information. 



2 As reflected in the 2009 Memorandum, SBU refers collectively to the various designations used within 
the Federal Government for documents and information that are sufficiently sensitive to warrant some level 
of protection, but that do not meet the standards for National Security Classification. A process created in 
2005 for establishing a single, standardized, comprehensive categorical designation within the Executive 
Branch for most SBU information culminated with the adoption of the phrase “Controlled Unclassified 
Information” (CUI) in the Presidential Memorandum of May 7, 2008, entitled Designation and Sharing of 
Controlled Unclassified Information (CUI) (the “2008 Memorandum”). CUI was defined in the 2008 
Memorandum as: 

a categorical designation that refers to unclassified information that does not meet the standards 
for National Security Classification under Executive Order 12958, as amended, but is (i) 
pertinent to the national interests of the United States or to the important interests of entities 
outside the Federal Government, and (ii) under law or policy requires protection from 
unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or 
dissemination. 

The 2008 Memorandum directs that CUI be used in place of SBU as the single categorical designation for 
information within the scope of the CUI definition to refer generally to such information. 

3 The “CUI Framework” refers to the single set of policies and procedures governing the designation, 
marking, safeguarding, and dissemination of terrorism-related CUI, as established in the 2008 
Memorandum. 

4 Pursuant to the Memorandum of July 2, 2009, Strengthening Information Sharing and Access, the 
Assistant to the President for Homeland Security and Counterterrorism initiated a comprehensive review of 
the Information Sharing Environment. The Task Force was advised that it need not report on these 
measures. 
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1.1 The CUI Task Force 



1. Membership 

Led by the Secretary of Homeland Security and the Attorney General, and co-chaired by 
their senior representatives, the CUI Task Force was comprised of senior representatives of 
twelve federal agencies. This included representatives of following nine ISE agencies: 

• Department of State (“State”) 

• Office of the Director of National Intelligence (“ODNI”) 

• Office of Management and Budget (“OMB”) 

• Federal Bureau of Investigation (“FBI”) 

• Department of Defense (“DoD”) 

• Department of Health and Human Services (“HHS”) 

• Program Manager, Information Sharing Environment (“PM-ISE”) 

• Department of Homeland Security (“DHS”), and 

• Department of Justice (“DOJ”). 

The Task Force also included the following three non-ISE agencies: 

• Department of Agriculture (“USDA”) 

• Department of the Interior (“DOI”), and 

• National Archives and Records Administration (“NARA”). 

2. Methodology 

The Task Force assessed current procedures for categorizing and sharing SBU, both within 
and outside of the ISE, in light of the imperatives specified in the 2009 Memorandum. 

The Task Force also analyzed the most significant issues thus far encountered by the 
Executive Agent (“EA”) and the CUI Council in developing the CUI Framework while 
recognizing the Task Force goals of standardization, information sharing, and government 
transparency. The Task Force drew upon SBU efforts dating back to 2006, as well as the 
CUI Council’s analysis, findings, draft policy statements, and implementation guidance as 
the foundation for much of its effort. 

The Task Force met with representatives of multiple government entities to assess the 
many issues raised by implementation of the CUI Framework as described in the 2008 
Memorandum, including its impact on agencies outside of the ISE, on the current 
exceptions to the CUI Framework, 5 on the ability of certain specific and discrete 



5 Four regimes for the safeguarding of infrastructure protection information were granted “excepted” status 
under the May 2008 Memorandum, including Protected Critical Infrastructure Information, Sensitive 
Security Information, Chemical Vulnerability Information, and Safeguards Information. Excepted status 
requires that the CUI Framework be used to the maximum extent possible, including the most applicable 
safeguarding marking, and that any additional safeguarding requirements beyond that specified under the 
CUI Framework shall be appropriately registered in the CUI Registry. Regulatory markings are to follow 
CUI markings and a specified dissemination instruction is to articulate any additional regulatory 
requirements. 
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communities of interest to support CUI implementation, and on the interests and concerns 
of Congress. The Task Force also met with representatives of a number of non- 
government entities to assess various aspects of CUI implementation on entities outside of 
the federal government, including private sector owners and operators of critical 
infrastructure, industrial security contractors, open government and privacy advocacy 
organizations, and our State, local, and tribal information sharing partners. (For a 
complete list of entities consulted, see Appendix 1 .) These consultations were 
extraordinarily valuable in understanding the concerns of CUI constituents and were 
critical in developing the Task Force’s recommendations. 
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Part 2. The SBU Challenge 



All federal agencies 6 routinely generate, use, store, and share information that, while not 
appropriate for “classification” under Executive Order 1295 8, 7 as amended, or other 
authority, 8 nevertheless requires some level of protection from unauthorized access and 
release. Protection may be required due to privacy concerns, law enforcement sensitivities, 
the business proprietary nature of the information, or for other reasons. Currently, across 
the Executive Branch, this information is identified by over 100 unique markings and at 
least 130 different labeling or handling regimes, such as “Law Enforcement Sensitive,” 

“For Official Use Only,” “Sensitive Security Information,” and “Limited Official Use.” (A 
partial listing of SBU markings is attached at Appendix 2.) Although SBU regimes or 
markings are typically derived from an identifiable authority, be it a statute, regulation, or 
agency policy, collectively they reflect a disjointed, inconsistent, and unpredictable system 
for protecting, sharing, and disclosing sensitive information. 

2.1 Assessment of Current SBU Procedures 



The Task Force reviewed current policies and procedures for categorizing and sharing SBU 
information to assess these processes against the imperatives identified by the President. 
The Task Force found that performance under these categories varied greatly. The factors 
influencing performance included the scope of subject matter and personnel covered; the 
intended purpose for control; the type of information protected; the process for 
developing policy and procedure; the clarity of policy and procedure; the availability of 
policy and procedure to persons handling subject information; the quality and frequency 
of employee training; and the existence of meaningful oversight. For some of these 
regimes, such as the widely utilized “Law Enforcement Sensitive” or “LES,” few of these 
factors are currently implemented. 

Regardless of any individual regime’s performance, it is clear that as a whole, Executive 
Branch performance under these measures suffers immensely from interagency 
inconsistency in SBU policies, frequent uncertainty in interagency settings as to exactly 
what policies apply, and inconsistent application of similar policies across agencies. 



6 As used here and throughout the remainder of this report and its recommendations, the terms “agency,” 
“Agency,” or “agencies,” shall be deemed to refer to all Executive Branch departments, agencies, offices, 
components, and entities. 

7 See Exec. Order No. 12,958, 60 Fed. Reg. 19,823 (Apr. 20, 1995), reprinted as amended by Exec. Order 
13292, 68 Fed. Reg. 15,315 (Mar. 28, 2003) (prescribing a uniform system for classifying, safeguarding, 
and declassifying national security information, including information relating to defense against 
transnational terrorism). 

8 See e.g ., Atomic Energy Act of 1954, §§ 4 & 142, 42 U.S.C. §§ 2014(y) & 2162 (2009) (automatically 
classifying as “Restricted Data” all data concerning (1) the design, manufacture, or utilization of atomic 
weapons; (2) the production of special nuclear material; or (3) the use of special nuclear material in the 
production of energy; and automatically classifying as “Formerly Restricted Data” all data the Nuclear 
Regulatory Commission and the Department of Defense jointly determine relates primarily to the military 
utilization of atomic weapons and can be adequately safeguarded as defense information). 
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Additionally, the absence of effective training, oversight, and accountability at many 
agencies results in a tendency to over-protect information as SBU, thus greatly diminishing 
government transparency. 

Clarity as to what policies apply, as well as access to those policies, is essential to ensuring 
that a recipient properly handles SBU. Across the Executive Branch, the same type of 
information may be governed by entirely different, and often unclear, requirements. As a 
result, even where two agencies use the same marking, such as For Official Use Only 
(“FOUO”), and separately provide similar information to a recipient, that recipient must 
distinguish between the FOUO policies of each providing agency. 

The Task Force recognized that sharing terrorism-related and other intelligence and law 
enforcement information with local law enforcement is critical to our national and 
homeland security . 9 Current SBU policies are generally ill-suited to this purpose. One 
example is when a State, local, or tribal official properly receives information from the 
federal government marked as ‘‘sensitive,” but does not receive any indication of the 
applicable safeguarding or dissemination policies. This situation can often result in the 
official’s reluctance to further share the information with other local law enforcement or 
first responders who may also have a need for it. 

Another challenge presented by inconsistent, agency-specific SBU regimes is the incidental, 
yet often unintended effect some markings have on the processing of requests for public 
release of information under the Freedom of Information Act (“FOIA”). While a number 
of SBU regimes are based upon, or at least recognize, a specific statute or other legal 
authority for properly withholding information from public release under FOIA, many do 
not. Regardless, the markings are sometimes misunderstood as providing an independent 
basis for withholding documents from the public, Congress, or the courts, which in turn 
can undermine transparency, as well as public trust in government. 

The lack of standardized Executive Branch procedures for governing SBU information is 
well-established , 10 the need for those standards well-documented , 11 and the interest of 
Congress to address the challenge, proven . 12 



9 Final Report of the National Commission on Terrorist Attacks Upon the United States, www.9- 
1 lcommission.gov. 

10 See e.g ., The Constitution Project, Reining in Excessive Secrecy: Recommendations for the Reform of the 

Classification and Controlled Unclassified Information Systems (2009) available at 
http://www.constitutionproject.org/manage/file/178.pdf; U.S. Gov't. Accountability Off., Information 
Security: Federal Agencies Show Mixed Progress in Implementing Statutory Requirements , GAO-06-527T 
(Mar. 16, 2006); U.S. Gov't. Accountability Off., Information Sharing: The Federal Government Needs to 
Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified 
Information, GAO-06-385 (Mar. 17, 2006); U.S. Gov't. Accountability Off., Managing Sensitive 
Information: DOE and DOD Could Improve Their Policies and Oversight, GAO-06-53 IT (Mar. 14, 

2006); U.S. Gov't. Accountability Off., TSA: Clear Policies and Oversight Needed for Designation of 
Sensitive Security Information, GAO-05-677 (Jun. 29, 2005); U.S. Gen. Acct. Off., Selected Agencies' 
Handling of Personnel Information, GAO-02-1058 (Sep. 30, 2002); Cong. Res. Serv., 'Sensitive but 
Unclassified Information' and Other Controls Policy and Options for Scientific and Technical Information, 
CRS Rep. RL31845 (Feb. 15, 2006), as updated by CRS Rep. RL33303 (Dec. 29, 2006); Cong. Res. Serv., 
Secrecy vs. Openness: New Proposed Arrangements for Balancing Competing Needs, CRS Rep. 21895 
(Aug. 26, 2004), as updated (Oct. 12, 2004). 
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2.2 The 2008 CUI Framework 



Although the problems associated with SBU have existed for many decades, addressing 
them assumed greater urgency following the information sharing failures preceding the 
9/11 attacks. The 9/11 Commission reported that in the months leading up to the attacks: 

Information was not shared, sometimes inadvertently or because of legal 
misunderstandings. Analysis was not pooled .... Often the handoffs of 
information were lost across the divide separating the foreign and domestic 
agencies of government. 13 

In response to these challenges, in 2004, Congress passed and the President signed the 
Intelligence Reform and Terrorism Prevention Act, Pub. L. 108-458, which mandated the 
development of an Information Sharing Environment (“ISE”) to facilitate the sharing of 
terrorism-related information among federal, State, local, tribal, private sector, and foreign 
partner entities. On December 16, 2005, President Bush directed federal agencies to 
recommend procedures for standardizing the marking, handling, and safeguarding of SBU 
information. 14 The resulting recommendations 15 were largely reflected in the 2008 
Memorandum, which adopted CUI as the single Executive Branch designation for all SBU 
within the scope of the ISE, and established a corresponding new framework for 
designating, marking, safeguarding, and disseminating terrorism-related CUI, which 
became known as the CUI Framework. 16 

The 2008 Memorandum designated the National Archives and Records Administration 
(NARA) as the Executive Agent (EA) for the CUI Framework and directed that a CUI 
Council 17 perform an advisory and coordinating role for the development of policy 



11 Final Report of the National Commission on Terrorist Attacks Upon the United States, www.9- 
llcommission.gov, 416-419. 

12 See e.g ., the “Reducing Over-Classification Act of 2009,” H.R. 553, 111th Cong. (1st Sess. 2009) (as 
introduced by Rep. Harman, Jan. 15, 2009); the “Reducing Information Control Designations Act,” H.R. 
1323, 111th Cong. (1st Sess. 2009) (as introduced by Rep. Driehaus, Mar. 5, 2009); the “Implementing the 
Controlled Unclassified Information Framework Act of 2008,” S. 3662, 1 10th Cong. (2nd Sess. 2008) (as 
introduced by Sen. Lieberman, Oct. 1, 2008); the “Reducing Overclassification Act of 2008,” H.R. 4806, 
110th Cong. (2nd Sess. 2008) (as introduced by Rep. Harman, Dec. 18, 2007); the “Improving the Public 
Access to Documents Act of 2008,” H.R. 6193, 110th Cong. (2nd Sess. 2008) (as introduced by Rep. 
Harman, Jun. 5, 2008); and the “Reducing Information Control Designations Act,” H.R. 6576, 110th Cong. 
(2nd Sess. 2008) (as introduced by Rep. Waxman, Jul. 23, 2008). 

13 Final Report of the National Commission on Terrorist Attacks Upon the United States, www.9- 
llcommission.gov, 353. 

14 Memorandum for Heads of Executive Departments and Agencies on the Guidelines and Requirements in 
Support of the Information Sharing Environment, December 16, 2005. This Memorandum requires the 
development of recommendations, first, for homeland security information, law enforcement information, 
and terrorism information and then for all types of information not previously addressed. 

15 Presidential Guideline 3 Report, Standardized Procedures for Sensitive But Unclassified (SBU) 
Information, (Fall 2007). 

16 2008 Memorandum, at 4-6. 

17 The CUI Council was established by the National Archives and Records Administration (NARA) in 
accordance with the 2008 Memorandum, as a subcommittee of the Information Sharing Council (ISC) 
created by the Intelligence Reform and Terrorism prevention Act of 2004 (Public Law 108-458) (IRTPA). 
Guidance issued separately by the PM-ISE on July 9, 2008, directed each ISC agency to designate a 
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standards and implementation guidance for the CUI Framework. With a May 2013 
deadline for full implementation of the CUI Framework, the Archivist of the United States 
established the CUI Office, which hosted the first monthly meeting of the CUI Council in 
August 2008. 

In the ensuing 12 months, the EA, in consultation with the CUI Council, has conducted 
data calls and analyses, initiated the development of an implementation plan along with 
draft guidance in key policy areas, including: designation, marking, dissemination, 
safeguarding, dispute resolution, life cycle, oversight, and exceptions. As a result of these 
efforts, the emerging CUI Framework is intended to include: a standing Governance 
Structure under the current EA; two possible levels of safeguarding; 18 two possible levels of 
dissemination controls; 19 a procedure for designating specific dissemination requirements 
or limitations, when appropriate; three unique markings to reflect the three combinations 
of safeguarding and dissemination controls; 20 a publicly available, web based “Registry” of 
markings that apply to CUI information and certain associated policies; and standardized 
training requirements across the federal government. 

Although implementation of the CUI Framework will be required only within the 
Executive Branch, it is intentionally being developed to be as accessible as possible to non- 
federal information sharing partners, such as State, local, tribal, and foreign governments 
and the private sector. Thus, the promulgation and publication of standard rules across the 
Executive Branch should not only ease the handling of CUI by our non-federal partners, 
but it could also encourage the adoption of these rules and facilitate compliance with 
similar rules by partners outside the Executive Branch. Although adoption by non-federal 
partners may require modifications to accommodate applicable State, local and tribal law, 
in meeting with the Task Force, State, local and tribal representatives nonetheless expressed 
their desire to see the CUI Framework achieve the same broad acceptance and adaptation 
experienced by the Rules for Criminal Intelligence System Operating Policies promulgated 
by the Department of Justice. 21 



representative to the CUI Council. The CUI Council effectively represents the needs and equities of ISE 
participants, providing the EA with advice and recommendations on CUI policies. The membership of the 
CUI Council currently includes: Department of Commerce, Department of Defense (Office of the 
Secretary and Joint Staff), Office of the Director of National Intelligence (on behalf of the Intelligence 
Community), Department of Energy, Federal Bureau of Investigation, Department of Health and Human 
Services, Department of Homeland Security, Department of the Interior, Office of Management and 
Budget, Department of Justice, Program Manager for the Information Sharing Environment, Department of 
State, Department of Transportation, Department of The Treasury, Environmental Protection Agency, and 
the Nuclear Regulatory Commission. In addition, non-federal participation on the CUI Council includes 
two members from State, local, and/or tribal government, two members from the private sector, and 
consultation with the ISC’s State, Local, Tribal, and Private Sector Subcommittee, as appropriate. 

18 “Safeguarding” means measures and controls to protect CUI from unauthorized access resulting from 
theft, trespass, or carelessness. The current safeguarding levels are “Controlled” and “Controlled 
Enhanced.” 

19 Dissemination controls are instructions governing the extent to which dissemination is permitted or 
limited. The current dissemination controls are “Standard Dissemination” and “Specified Dissemination.” 

20 The markings include “CONTROLLED WITH STANDARD DISSEMINATION”, “CONTROLLED 
WITH SPECIFIED DISSEMINATION”, and “CONTROLLED ENHANCED WITH SPECIFIED 
DISSEMINATION.” At this time, there is no anticipated marking category that would couple “Controlled 
Enhanced” safeguards with “Standard Dissemination” controls. 

21 See “Criminal Intelligence Systems Operating Policies,” 28 C.F.R. pt. 23 (2009). 28 C.F.R. part 23 is a 
guideline for federal, State, and local law enforcement agencies to follow in implementing standards for 
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Part 3. Recommendations 



3.1 Expanding the Scope of the Current CUI Framework 

The CUI Task Force was specifically directed to consider whether the scope of the CUI 
Framework should remain limited to terrorism-related information within the ISE, or, be 
expanded to apply to all SBU information, and by extension, apply beyond the realm of 
the ISE. 

Eleven of the 12 Task Force members concurred in the recommendation to expand the 
scope of the CUI Framework beyond the ISE and to all SBU information. 22 Even prior to 
the establishment of the Task Force, DHS and DOD, as well as the FBI and ODNI (on behalf 
of the National Intelligence Community) had already committed to extending the current 
CUI Framework to all SBU within their control. It was the consensus of the 1 1 concurring 
agencies that maintaining multiple regimes for managing SBU information would be 
inconsistent with the goals of the Task Force, and that expanding the scope of the current 
CUI Framework would provide for specificity and consistency in the marking and 
identification of various types of sensitive information. 

A number of Task Force members also endorsed expanding the scope of the current CUI 
Framework as a means of providing greater clarity in implementation. For example, 
although the 2008 Memorandum’s definition of “CUI” is not limited to terrorism-related 
information, the scope of the CUI Framework it established is limited to terrorism-related 
information. Maintaining this discrepancy would force agencies to perform the often 
difficult task of segregating terrorism-related from non-terrorism-related information, a 
distinction that is not always clear or static. 

The Task Force believes the first step in improving the CUI Framework is to simplify the 
definition of CUI. CUI should be defined as “All unclassified information for which, pursuant to 
statute, regulation, or departmental or agency policy, there is a compelling requirement for safeguarding and/or 
dissemination controls.” Next, the scope of the CUI Framework should be expanded to include 
all information falling within the definition of CUI in the possession or under the control 
of the Executive Branch. As directed in the 2008 Memorandum, CUI should be used in 



operating federally grant- funded multi-jurisdictional criminal intelligence systems. It was written to both 
protect the privacy rights of individuals and to encourage and expedite the exchange of criminal 
intelligence information between and among law enforcement agencies of different jurisdictions. It 
provides specific guidance in five primary areas: submission and entry of criminal intelligence information, 
security, inquiry, dissemination, and the review-and-purge process. Only information technology systems 
operating under or funded through the Omnibus Crime Control and Safe Streets Act of 1968, 42 U.S.C. § 
3711, et seq., as amended, must comply with the 28 C.F.R. part 23; however, the underlying “framework” 
has been widely applied to other activities involving the collection, maintenance, and dissemination of 
criminal intelligence information. 

22 The Department of State opposes scope expansion out of concern that it would dilute the terrorism- 
related focus of the Framework envisioned in the 2008 Memorandum and the ability to use the CUI 
marking as a means of identifying solely terrorism-related information. 
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place of SBU as the single categorical designation for all information falling within the 
scope of the definition of CUI. 

In sum, a strong majority of the Task Force believes that limiting the scope of the CUI 
Framework to terrorism-related information within the ISE: (1) risks overlooking 
information with a terrorism nexus that may not be apparent until some later time; 

(2) fails to address the inefficiencies and confusion in continuing to maintain over 100 
discrete SBU markings across the federal government; (3) could result in unintended 
inefficiencies, such as where agencies that handle sensitive terrorism-related and non- 
terrorism-related information would have to maintain at least two separate systems for 
handling SBU; and (4) creates confusion as to the true scope of CUI. 

Expanding the scope of the CUI Framework is not intended to provide agencies with 
unfettered access to all the sensitive unclassified information within the Executive Branch; 
rather, it is meant to facilitate appropriate sharing of sensitive unclassified information. It 
would also promote increased accountability in how information is shared by allowing 
agencies and the public to know what kind of information is maintained by federal 
agencies. 

Moreover, because of its uniformity, standardized training requirements, and the public 
availability of the registry, the expanded scope of the CUI Framework can be expected to 
significantly increase the openness and transparency of government by improving the 
efficiency of information sharing, where otherwise authorized, between and among 
federal, State, local, tribal, private sector, and foreign partners. By eliminating the overuse 
of SBU designations, an expanded CUI Framework would enhance the protection of 
personal privacy and civil liberties, while continuing to protect sensitive information as 
appropriate. 

The Task Force believes that the efforts of the EA and the CUI Council are enhanced when 
taking into consideration the perspectives of a wide range of information-sharing partners 
and incorporating those perspectives into policy development efforts. The EA could 
achieve this by periodically inviting public interest or private sector entities to attend 
meetings for the purpose of providing their insights, experiences, observations or opinions 
on relevant matters. 

The Task Forces believes that expansion of the CUI Framework necessitates an expansion of 
the CUI Council membership, which, under the 2008 Memorandum, was limited to 
members of the Information Sharing Council, 23 as well as to its roles and functions. 
Composition of the CUI Council should be adjusted to reflect the scope of CUI under an 
expanded CUI Framework. To accommodate that expanded scope while optimizing 
effective representation, the Task Force believes the core composition of the Council 
should primarily include “capstone” agencies. For example, ODNI would represent all 
intelligence community agencies; DOD would represent each of the military services and 
all other DOD elements; DHS would represent all of the component agencies of DHS; DOJ 
would represent its subordinate agencies, etc. The expanded CUI Council should be 
recognized as a consensus body for developing CUI policy and should retain the 



23 The Information Sharing Council has been merged into the Information Sharing and Access Interagency 
Policy Committee. 
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responsibilities and authorities identified in the 2008 Memorandum, including resolving 
disputes among agencies concerning the proper designation or marking of CUI. In 
addition, the Task Force believes that the CUI Council should be empowered to hear 
appeals from agency dispute/challenge mechanisms. 

The majority of developments in post 9/11 information sharing have impacted terrorism- 
related information within the context of the ISE. Agencies outside of the ISE have 
generally had only limited exposure to the CUI Framework directed by the 2008 
Memorandum. Task Force outreach to those agencies identified the steeper learning curve 
many of them would face in implementing the CUI Framework as compared to their peers 
within the ISE. To begin to understand non-ISE agency requirements, the Task Force 
believes that the EA should reach out to these agencies and inform them of efforts to 
implement the Framework in light of the 2008 Memorandum and the recommendations 
contained herein. The EA should solicit from them any agency-specific needs or 
considerations relevant to their implementation of the CUI Framework. 



Recommendation #1 Simplify the Definition of CUI 



The definition of “Controlled Unclassified Information,” or CUI, should be simplified to: 
All unclassified information for which, pursuant to statute, regulation, or departmental or agency policy, there is a 
compelling requirement for safeguarding and/or dissemination controls. 



Recommendation #2 Expand the Scope of the CUI Framework 



The scope of the CUI Framework should be expanded to include all information falling 
within the definition of CUI in the possession or under the control of the Executive Branch 
of the Federal Government. 



Recommendation #3 Make the Expanded CUI Framework the Exclusive Means of 
Protecting SBU 



The expanded CUI Framework should be the single categorical designation used to 
identify, safeguard, and disseminate unclassified information for which, pursuant to 
statute, regulation, or departmental or agency policy, there is a compelling requirement 
for safeguarding and/or dissemination controls, except where a particular regime has been 
approved by the EA as a temporary exception to the CUI Framework. 



Recommendation #4 Adjust the CUI Council Membership and Roles to Reflect the 
Expanded Scope 



CUI Council membership should be adjusted to reflect the expanded scope of the CUI 
Framework, and membership reassessed to prioritize representation through “capstone” 
agencies. Additionally, the CUI Council should be empowered to address appeals of 
agency dispute/challenge mechanisms. 
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Recommendation #5 Moratorium on New SBU Regimes 



Consistent with the imperatives listed in the 2009 Memorandum, the President should 
impose a moratorium on efforts within the Executive Branch to define or develop new SBU 
categories outside of the CUI Framework. 



Recommendation #6 Engagement of Non-ISE Agencies 



The EA should develop a 1 2 0-day outreach plan to engage all non-ISE agencies in CUI 
Framework efforts and the EA should solicit from them any agency-specific needs or 
considerations relevant to their implementation of the CUI Framework. 



Recommendation #7 Phase Implementation of Scope Expansion 



Implementation of the CUI Framework should begin with all ISE agencies, and consistent 
with the 2008 Memorandum, they should complete implementation by May 2013. All 
other agencies (other than the excepted regimes) should complete implementation by May 
2015. The excepted regimes should complete implementation by May 2016. If the 
excepted regimes believe that implementation by May 2016 would cause serious and 
demonstrable harm, they may petition the EA, upon identification of their specific 
concerns and proposals for their remediation, for an extension of time to ensure that 
exception implementation does not negatively impact those regimes. 

3.2 Measures to Enhance the Current CUI Framework 

The discussions and recommendations which follow are intended to improve the current 
CUI Framework, as established in the 2008 Memorandum. 

1. Designation and Identification 

Since issuance of the 2008 Memorandum, the EA, in coordination with the CUI Council, 
has worked to define the concepts of “Designation” and “Identification.” Designation is 
currently defined as the determination that a general category of information (e.g. 
personally identifiable information, law enforcement information, etc.) may be protected 
as CUI and, if so, the level of protection required and dissemination authorized. It is each 
agency’s responsibility to evaluate its data holdings to determine what information should 
be designated as CUI. It is foreseeable, based on the revised definition and scope of CUI 
recommended herein, that some information currently treated as “sensitive” may be found 
not to warrant CUI designation. Designation may be initiated by the President, statute, 
regulation, agency head, or appropriately designated senior agency official. Identification is 
currently defined as recognition by an authorized individual that specific information fits 
within a general category of information which has been previously designated as CUI. 

A key goal of the expanded CUI Framework is reducing the number of existing SBU 
regimes into the minimum appropriate number of CUI designations. The EA, in 
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coordination with the CUI Council, has already begun the process for designating various 
general categories of information common to most agencies, including: 

• Acquisition-Related Information 

• Law Enforcement 

• Export Controlled 

• Business Proprietary 

• Intellectual Property Controls 

• Privacy Protected Information 

• Restrictions on Non-U. S. Citizens 

• Legal Privileges and Restrictions 

• Security Information 

Accommodation and Flexibility 

In exercising their respective responsibilities, the EA and CUI Council should fully consider 
the mission and requirements of the agency recommending a designation and make all 
appropriate efforts to accommodate those requirements in the harmonization effort. 
Similarly, senior officials of agencies recommending designations should be flexible in 
working with the EA to ensure that harmonization of their designation recommendations 
with the CUI Framework is achieved. 



Recommendation #8 Designation of CUI 



CUI designation by the EA should reflect the following four-step process: 

Step 1 : The agency head, or other appropriately designated senior-level official, 
determines that there exists a compelling requirement to protect a category of 
information that the agency routinely handles, and which has not already been 
designated by the EA. 

Step 2: The official submits a designation recommendation, along with supporting 
and accompanying materials (e.g., statute, regulation, or policy), to the EA for 
review and consideration. 

Step 3: In consultation with the CUI Council, the EA reviews the designation 
recommendation for the purpose of ensuring that: 

a. the description of, authority and justification for, and requested 
standards for safeguarding and dissemination are clearly 
articulated; 

b. the requested designation is consistent with standards applicable 
to any similar types of information and harmonized, as 
appropriate, with those designations; and 
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c. the submitting agency is aware of and understands any concern 

of the EA, or of any other agency, that a prospective designation 
does not warrant the protection levels selected and/ or the 
ensuing loss of government transparency accompanying 
designation. 

Step 4: Upon approval by the EA, designations and supporting information are 
published, as appropriate, to a public CUI Registry, from which the public and 
official users of CUI markings may identify the categories of information 
designated as CUI. To the extent that any of the information supporting a particular 
designation is, itself, CUI, it will be maintained separately from the public registry 
by the EA. 



Recommendation #9 Identification of CUI 



Each agency should establish standards for personnel possessing the authority and/ or 
necessary qualifications for identifying information as CUI. At a minimum, all individuals 
authorized to identify CUI should meet standardized CUI training requirements, as 
implemented within that agency. 



Recommendation #10 Agency CUI Programs 



Each agency should establish a program to manage its CUI. The program should include, 
at a minimum, Senior Officials responsible on behalf of the agency head for 
recommending CUI Designations, providing training, CUI management, and oversight of 
agency CUI activities. 

2. Marking 

Standardization of Markings 

Standardization is one of the goals of CUI implementation. The EA should provide the 
standardized markings and marking requirements with which agencies will comply. The 
decision regarding how to apply the standardized CUI markings to the various forms of 
CUI should be left to agency discretion. CUI intended for dissemination must be marked, 
but agency mission, intended data usage, access policies, established information exchange 
processes, and means or purposes for disseminating should all inform the agency decision 
regarding the most appropriate means of marking. 

EA approved standardized markings should identify CUI designation, safeguarding and 
dissemination controls; originating agency; and life cycle, and should be the only markings 
used to convey this information. The Task Force reviewed the many variations of 
markings and marking schemes employed in the legacy SBU regimes and concluded that 
no marking scheme in current use can accommodate all requirements of the expanded 
scope. For example, some agencies - particularly those outside of the ISE - routinely 
process and transfer bulk form SBU (e.g., privacy, health, income, etc.) with other 
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agencies, but for a very limited purpose, to a known and limited audience, and under clear 
processes. In such circumstances, it is possible that simply using a “system-high’' 24 
marking may be adequate. Alternatively, in the case of finished intelligence products 
intended for dissemination to our State, local, and tribal partners, it may be irresponsible 
not to clearly identify the intelligence report as CUI, and to include any warranted portion 
marking. The Task Force recognized the value of some level of portion marking for specific 
formats of CUI in information sharing efforts to enable the ready identification of the CUI 
elements within appropriately marked documents. 

The Task Force believes that agencies should consider the full range of marking options — 
including, as appropriate, system-high, database, application, document, portion, 
paragraph, and data element identification 25 - as required by mission and information 
protection and sharing requirements. When shared, all information should be marked 
consistent with EA issued standards. 

Given the likelihood that mission requirements may necessitate occasional deviations from 
the standards, the EA should be authorized to waive or modify these standards in such 
circumstances. 

Simplification of Markings 

The Task Force believes that the CUI Framework, not only across federal agencies, but in 
the potential for its adoption by State, local, tribal, private sector, and foreign partners, 
requires the use of terminology which is clear, simple and intuitive. It is likely that while 
the 2008 Memorandum’s categorizing scheme is appropriate, its supporting marking 
nomenclature (“CONTROLLED WITH STANDARD DISSEMINATION,” “CONTROLLED 
WITH SPECIFIED DISSEMINATION,” and “CONTROLLED ENHANCED WITH SPECIFIED 
DISSEMINATION”) can be improved. The Task Force encourages the EA to utilize input 
from a variety of CUI user focus groups, to try out variations of markings or labels and 
facilitate development of standard markings. The Task Force believes CUI markings should 
use plain language, and while abbreviations are appropriate, codes should be discouraged. 

Public Registry 

The Task Force views the public registry as an important source of government 
transparency and public insight into CUI designations. While the CUI registry would 
contain a full description of the requirements for safeguarding and disseminating CUI, the 
Task Force nonetheless believes it preferable that a given CUI document (such as an 
intelligence report) itself, to the extent possible, contain any safeguarding and 
dissemination information necessary to its proper handling. 



24 System High is a means of marking an entire system at the level of the most restricted CUI within the 
system. 

25 Database marking would identify the most restricted CUI at the database level. Application marking 
would identify the most restricted CUI at the application level. Document marking would identify the most 
restricted CUI within a document. Paragraph or portion marking would identify each paragraph or portion 
containing CUI at the most restricted level found in that paragraph or portion. Data element identification 
includes the marking only of those discrete data elements or segments of information that are deemed CUI. 
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Distinguish from FOIA 



Finally, the Task Force believes it is critical to recognize that the CUI Framework does not 
alter the requirements of FOIA, and that CUI implementation guidance and training make 
clear that the presence or absence of a CUI marking has no bearing on whether a record is 
releasable or exempt from release under FOIA. 



Recommendation #11 Simplification of Categories and Markings 



The 2008 Memorandum marking nomenclature should be replaced with succinct, 
informative overall markings, such as: 

• CONTROLLED-ENHANCED • CONTROLLED-HIGH 

• CONTROLLED-SPECIFIED or • CONTROLLED-MEDIUM 

• CONTROLLED-STANDARD • CONTROLLED-LOW 



Recommendation #12 EA to Establish Standard Markings and Guidance 



The EA should establish standardized CUI markings that identify CUI designation, 
safeguarding and dissemination controls; originating agency; and life cycle. The EA should 
publish the standardized markings and marking guidance to the agencies. Upon agency 
request, the EA may grant specific waivers or modifications to these standards, and the EA 
should work with agencies to ensure compliance with both the Framework and agency 
requirements. 



Recommendation #13 Flexible Marking of CUI 



CUI intended for dissemination must be marked in accordance with the standardized 
markings established by the EA. Agency decisions regarding how and when to apply 
standardized CUI markings should consider the full range of marking options and be 
driven by agency mission, the medium in which the CUI resides or is conveyed, and 
information protection and sharing requirements. 



Recommendation #14 Clarify that CUI Has No Bearing on FOIA 



CUI implementation guidance and CUI training should make clear that the CUI Framework 
and FOIA are entirely separate and that CUI markings have no bearing on whether records 
are exempt from release under FOIA. 
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3. Safeguarding 



“Safeguarding” refers to physical or electronic measures that ensure CUI is not accessed 
inadvertently or improperly. The two levels of safeguarding established in the 2008 
Memorandum, “standard” 26 and “enhanced”, 27 are believed adequate for the expanded 
scope of the CUI Framework proposed herein. The Task Force is concerned, however, that 
incorporating existing federal IT standards directly into the CUI Framework could pose a 
significant impediment to CUI implementation, as application and adherence have been 
inconsistent to date. The reasons for the inconsistency include cost, complexity, and some 
contradiction between overlapping rules. 

Mindful of the fact that agencies are obligated to comply with federal IT standards 
independent of those standards’ inclusion in the CUI Framework, the Task Force has 
concluded that the EA, in consultation with the Federal Chief Information Officer (CIO) 
Council, should develop IT safeguarding standards for the CUI Framework in a phased 
manner. 

The Task Force endorses the position of OMB that phased development of IT standards for 
the CUI Framework is neither authority for nor endorsement of non-compliance by 
agencies with federal IT standards. The Task Force believes that Federal CIOs, through the 
Federal CIO Council, could provide relevant, practical, and objective advice and 
perspectives given their current responsibilities across government for balancing security 
requirements with IT planning and implementation. Assistance in aligning metadata 
tagging and digital identity management with the CUI Framework to manage access to CUI 
is one goal for such advice. 

An additional safeguarding challenge arises when sensitive federal government information 
is shared with State, local, tribal, private sector, and foreign partners. As non-federal 
partners, these entities are neither required by law to comply with the same physical or IT 
safeguarding standards as the federal Executive Branch, nor are they necessarily funded to 
do so. Nonetheless, the Task Force believes that non-federal entities that receive CUI from 
the federal government should be encouraged to provide safeguarding protection 
consistent with the CUI Framework to the maximum extent possible. 

Recognizing the need to achieve the parallel goals of information protection and 
information sharing with these partners, the Task Force concluded that the CUI Framework 
would likely benefit from the establishment of standardized arrangements to address 
formal, recurring, and institutionalized information sharing settings as well as informal, 
irregular, or field conditions. Such means must be based on risk management as informed 
by operational requirements. 



26 “‘Standard Safeguarding’ is a handling instruction that means the information so designated is subject to 
baseline safeguarding measures that reduce the risks of unauthorized or inadvertent disclosure.” 2008 
Memorandum, at 3. 

27 “‘Enhanced Safeguarding’ is a handling requirement that means the information so designated is subject 
to measures more stringent than those normally required because inadvertent or unauthorized disclosure 
would create a risk of substantial harm.” 2008 Memorandum, at 2. 
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There are useful precedents for formal information sharing arrangements between the 
federal government and non-federal partners. Despite certain obvious distinctions between 
them and the CUI Framework, the Task Force was impressed by the procedures 
implemented by the Chemical-Terrorism Vulnerability Information (“CVI ”) 28 and 
Protected Critical Infrastructure Information (“PCII ”) 29 programs. Both of those programs 
have well developed guidelines, tailored to mission needs, providing safeguarding 
standards which can be achieved with reasonable and appropriate efforts by the non- 
federal partners. The PCII program also contains an “Accreditation” process. The Task 
Force encourages the EA and CUI Council to review those procedures for any appropriate 
measures which may benefit the CUI Framework, taking proper account of situations in 
which non-federal partners may have severe resource constraints. 

Information sharing which is informal, irregular, or which occurs under field conditions 
presents its own set of safeguarding concerns, and in these circumstances, formal 
procedures, agreements, and compliance mechanisms may serve only to impede 
information sharing. The Task Force believes that in such circumstances, where 
information must be shared, but where there is no opportunity for formalizing 
procedures, federal employees and their non-federal partners should be enabled to identify 
“equivalent measures,” taking into account the sensitivity of the particular CUI and the 
risks thereto. In such circumstances, a federal employee’s training and understanding of 
the CUI Framework could be critical, both to ensure protection of the information, and to 
ensure that sharing is not impeded by “non-issues.” The Task Force would encourage 
agencies to develop pocket reference cards and short-form CUI Agreements for use by 
personnel in the field. 



Recommendation #15 Safeguarding 



The EA, in consultation with the CUI Council, should develop a means to address 
safeguarding in formal, recurring, and institutionalized information sharing settings, as 
well as in informal or irregular situations including field conditions. 



Recommendation #16 Consultation on Threat 



The EA, in consultation with the CUI Council, should consult with appropriate entities to 
determine the level at which certain unclassified information on federal government 
networks and systems is being targeted in order to best allocate resources to protect CUI. 



28 Procedures for the CVI program can be found in the CVI Manual, 
http : // www . dhs . go v/xlibrary/as sets/chemsec_c vi_proceduresmanual .pdf 

29 Procedures for the PCII program can be found in the April 2009 Protected Critical Infrastructure 
Information Program Procedures Manual, found at 

http ://w w w . dhs . go v/xlibrary/as sets/pcii_program_procedures_manual.pdf 
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Recommendation #17 CIO Council as Advisor on Information Standards and 
Safeguards 



The EA should utilize the Federal CIO Council for advice and consultation on: 

a. appropriate measures to support a phased approach to the application of 
information technology standards to the CUI Framework, 

b. a balanced set of technology requirements for safeguarding CUI which 
are consistent with federal guidance and achievable by our non-federal 
information sharing partners, and 

c. metadata standards to promote transparency, facilitate IT functions, and 
support digital privilege management. 

4. Dissemination 

The CUI Framework currently contains two dissemination controls - “Standard” and 
“Specified.” Standard dissemination control allows an authorized holder, based on his/her 
discretion, to provide the CUI to federal, State, local, tribal, private sector, and foreign 
partners — provided that the dissemination furthers an official mission purpose. Specified 
Dissemination rules are used when there are compelling requirements to limit the 
authorized holder’s discretion. Specified dissemination requires additional markings 
describing those limits. These restrictions, based on law, regulation, interagency or 
intergovernmental agreement, or agency policy, should define a specified dissemination 
instruction clearly articulating the discretion authorized the holder, as approved by the EA 
at designation. Where CUI is marked only to identify it as CUI, without specifying 
dissemination instructions, standard dissemination applies. Where specified dissemination 
rules do not lend themselves to effective summarization, they will be maintained by the EA 
and made easily accessible to handlers of that category of CUI. 

Congress and the Judiciary 

While the CUI Framework may well include a designation for materials covered by 
Executive Privilege, the Task Force recognized that Executive accountability requires that 
CUI markings do not themselves interfere with the checks and balances provided by the 
legislative and judicial branches. Official activities by those branches constitute “official 
use” as it does for other authorized recipients of CUI. While those branches often must 
honor the safeguard and dissemination controls required for CUI of any other recipient, 
marking as CUI is not itself a basis for withholding information from Congress or the 
Judiciary. 



Recommendation #18 Standardize Specified Dissemination 



Agencies should work with the EA and CUI Council to standardize specified dissemination 
instructions. In reviewing agency requests for specified dissemination instructions, the EA 
should seek to harmonize instructions and thereby limit the total number of CUI specified 
dissemination instructions to the greatest extent possible. 
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Recommendation #19 Dissemination to Congress and the Courts 



Implementation guidance for the CUI framework should clarify that a CUI marking is not a 
basis for withholding information from Congress or the Judiciary. 

5. Life Cycle 

Life Cycle refers to the time period during which information identified as CUI would 
receive the safeguarding and dissemination controls of the CUI Framework. Appropriate 
life cycles support government transparency and ensure that resources are focused on 
protecting information as warranted by the level and anticipated duration of sensitivity. 

The Task Force members agreed that given the volume of CUI material within the federal 
government, it is impracticable to implement a review process prior to decontrol. Hence, 
the intent is to have the life cycle established as part of the CUI designation, and be tied to 
either specific events or a specific timeframe. 

The broad range of material covered by the CUI Framework poses difficult life cycle 
challenges. The Task Force believes CUI should be decontrolled as soon as it no longer 
warrants the safeguarding or dissemination controls of the CUI Framework. While in 
some cases this time frame would be foreseeable and reasonably short, in other instances, 
such as situations in which the Privacy Act or the Health Insurance Portability and 
Accountability Act apply, the timelines for protection may span the life of the protected 
individual, or longer. 

Agency officials who recommend designation of CUI are in the best position to judge how 
long CUI protection should be required. The designation decisions should therefore 
address decontrol. Each CUI designation recommendation should specify either the passage 
of a certain period of time or an event certain (for example, the death of the individuals 
named, conclusion of prosecution and expiration of appeal rights, etc.) after which the 
document would be decontrolled and lose its status as CUI. 

The Task Force believes that no document should remain subject to CUI controls 
indefinitely, and identified the requirement for a default lifecycle for any situation where 
no other life cycle is identifiable. Recognizing that the selection of such a generally 
applicable time period is both necessary and somewhat arbitrary, the Task Force 
considered the recommendations of both The Constitution Project (2-10 years) 30 and 
OMB Watch (not more than 5 years). 31 The Task Force considered these 
recommendations in light of the anticipated breadth of CUI designations, the significant 
administrative burden resulting from an overly aggressive decontrol cycle, and the 
enhanced transparency afforded by separating CUI status from releasability decisions 
(described below) , and concluded that in circumstances where CUI lifecycle is otherwise 



30 The Constitution Project, Reining in Excessive Secrecy: Recommendations for the Reform of the 
Classification and Controlled Unclassified Information Systems (2009) at 9, available at 
http://www.constitutionproject.org/manage/file/178.pdf 

31 OMB Watch, Controlled Unclassified Information: Recommendations for Information Control Reform 
(2009) at 10, available at http://www.ombwatch.org/files/info/2009cuirpt.pdf 
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undetermined, decontrol should occur 1 0 years following CUI identification. Any CUI 
whose decontrol is other than 1 0 years after identification should be clearly marked with 
the date or event certain upon which decontrol would take place. 

The Task Force recognizes that decontrol of CUI is distinct from release of CUI, and that 
mandatory, pre-release review procedures, particularly when conducted following 
decontrol, facilitate coordination with the document’s originator and awareness of any 
enduring requirement for control. At no time, pre- or post-decontrol, is a CUI marking 
itself determinative of whether it may be released. Similarly, the CUI Framework should 
not impact destruction timelines established through statute, regulation, or records 
management policy. 



Recommendation #20 Clarify Decontrol 



“Decontrol” should be identified as the act of removing information previously designated 
as CUI from the CUI Framework, and it should be made clear that while public release of 
CUI should be preceded by the CUI’s decontrol, decontrol is not itself authorization for 
public release. 



Recommendation #21 Establish Life Cycle 



All CUI information should be decontrolled after ten years unless (a) the CUI designation 
establishes an alternative decontrol requirement by date or event, (b) the alternative 
decontrol appears in the controlled registry, or (c) the alternative decontrol is clearly 
identified on the CUI. 

6, Exceptions 

The 2008 Memorandum lists four critical infrastructure information regimes which are 
specific exceptions to the CUI Framework. If the scope of CUI is expanded, as per 
Recommendation # 2, additional temporary exceptions may be required. To limit 
exceptions to those truly required, the Task Force believes it important that the EA identify 
specific criteria for establishing exceptions. Possible factors could include that the 
potential exception contains a significant amount of information not originated by the 
federal government and provided to the government based upon negotiated criteria that do 
not conform to the CUI regime, or that the provision of the information to the 
government is highly dependent on the existence of a trusted regime for data protection. 

With respect to the four exceptions listed in the 2008 Memorandum, the relationship 
between the federal government and the private sector has been negotiated through public 
rule making. Each of these systems was negotiated and tailored to a particular community 
and type of information. There is significant interest in these communities that their 
incorporation into the Framework not negate the currently established trust. A proposal by 
the excepted regime program offices is to establish and implement the CUI Framework 
with the intention of bringing the “exceptions” into the CUI Framework once its reliability 
and trust are established. 
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The Task Force believes that the exceptions should be incorporated into the CUI 
Framework in a manner which, to the maximum extent possible, preserves the 
fundamental elements of the exceptions, and neither harms the trusted relationships nor 
forces the excepted regimes out of compliance with statutory requirements. As the 
excepted regimes approach incorporation into the CUI Framework, the Task Force believes 
the EA should work with the relevant agencies and program offices to amend regulations 
and, if necessary, with Congress to amend relevant statutes. Incorporating the exceptions 
into the Framework is not intended to negate established FOIA exemptions. 

Any new exceptions should be considered in light of the ability to render them compliant 
either with existing CUI standards for safeguarding and dissemination or standards for the 
classification of information for national security or other authorized purposes. 



Recommendation #22 Establish Exception Process 



In addition to the four existing exceptions within the Presidential guidance on CUI, a 
process should be developed by the EA, in coordination with the CUI Council, to develop a 
means of evaluating whether additional categories of information that are covered by the 
expanded scope of CUI should be treated as temporary exceptions. 



Recommendation #23 Delay in Incorporation of Exceptions into the CUI Framework 



The CUI Framework should be established, running, and proven, prior to incorporation of 
the exceptions into the Framework. 



Recommendation #24 Amending Regulations or Statutes 



The EA should work with the agencies and program offices administering excepted 
regimes to amend relevant regulations and, if necessary, with Congress to amend relevant 
statutes, as the excepted regimes are incorporated into the CUI Framework. 

7, Training 

Effective implementation of the CUI Framework requires changing the way unclassified 
information protection and sharing is commonly understood. A dedicated, centralized 
training program is critical to that effort. CUI training is required at various levels of 
instruction, based upon agency mission and employee duties and seniority. Baseline 
training should be established by the EA, and agencies should coordinate development of 
intermediate and advanced level training with the EA. Each agency should be encouraged 
to create training that is tailored to its particular needs and mission. This is especially true 
in the ISE agencies, where the tension between sharing and protecting critical information 
is greatest. Training in this area requires a strong emphasis on the exercise of individual 
judgment in ensuring that the CUI Framework does not have a chilling effect on 
information sharing. Additionally, the EA should provide training to the senior officials 
responsible for CUI designation and agency CUI program management. 
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Recommendation #25 Establish Training 



The EA should establish a baseline training program sufficient to educate federal employees 
on the key principles underlying the CUI Framework, including the importance of 
government transparency and public trust in government. Intermediate and advanced level 
training should be developed by agencies, in consultation with the EA, to address increased 
requirements for expertise and sophistication in managing CUI. Basic CUI training should 
be the minimum requirement for an employee to be authorized to identify or disseminate 
CUI. Additionally, to promote consistency across the Executive Branch the EA should 
provide training directly to the senior officials responsible for CUI designation and agency 
CUI program management. 



8, Incentives and Accountability 

The Task Force believes that getting CUI designation and identification decisions right the 
first time is as important as ensuring compliance with CUI safeguards and dissemination 
controls. Like recent efforts with regard to the ISE, compliance with CUI policies should 
be viewed as routine elements of job performance and considered in employee evaluation, 
promotion, or award decisions. Moreover, administrative or other appropriate sanctions 
should be available for repeated non-compliance with CUI policies, or with CUI safeguard 
or dissemination control requirements. 



Recommendation #26 Incentives 



Agencies should consider employee performance under the CUI Framework in evaluation, 
promotion, and award decisions. 



Recommendation #27 Accountability and Sanctions 



Agencies should be authorized to impose administrative sanctions for repeated non- 
compliance with CUI policies or with CUI safeguard or dissemination control 
requirements. 



9. Standardization, Oversight, and Dispute Resolution 

A simple , concise , and standardized CUI Framework, with effective centralized governance 
and oversight, has the best chance not only for the widest acceptance within the federal 
government, but for broad adaptation throughout our State, local, tribal, and private sector 
partner communities. 

The Task Force believes it is critical that the CUI Framework bring standardization to 
current SBU processes to reduce inconsistency and a tendency toward over-protection of 
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information. To accomplish this goal, the Task Force determined that the EA should be 
appropriately empowered to harmonize and standardize designations across agencies. 

The Task Force considers that oversight should begin within the agency, based on 
procedures to be set out by the agency head. Agencies should establish an effective 
internal oversight approach, either as part of or parallel with the CUI program. 

The EA should maintain oversight authority and the ability to perform on-site reviews of 
agency CUI programs to support the implementation of an effective Framework across 
government, and to require of each agency any reports, information, and other 
cooperation that may be necessary to fulfill its responsibilities. In addition, each agency 
and the EA should also establish a mechanism for addressing challenges to CUI designation 
and identification by authorized holders of the information. 

CUI dispute resolution requires a balanced approach. The goal is to empower the EA to 
implement and manage the CUI Framework while recognizing the authority of the 
agencies to execute their missions. CUI is likely to be fully embedded throughout mission 
execution, and agencies require a means of assuring that decisions within the CUI 
Framework do not improperly impact mission execution. 

The Task Force also recognizes the significant costs imposed on private entities doing 
business with the federal government in order to comply with multiple, inconsistent SBU 
regimes. The Task Force believes the obligation under federal contracts to handle CUI 
information should be clear, consistent, and reflected in a single Federal Acquisition 
Regulation (FAR) provision that addresses the handling of CUI across the federal 
government. The language of this provision should be mirrored in agency-level acquisition 
regulations and guidance. 



Recommendation #28 Internal Oversight 



Each agency should identify an internal oversight program to assure the effective 
implementation of the CUI Framework within the agency. 



Recommendation #29 Challenges to Designation and Identification 



Each agency head or senior official should establish a mechanism for addressing challenges 
to CUI designation and identification, to include appeals to the CUI Council. The EA 
should establish a mechanism by which the CUI Council would address appeals of agency 
challenges as well as other interagency disputes based upon CUI designation or 
identification. 
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Recommendation #30 Federal Acquisition Guidance 



The Federal Acquisition Regulations should be revised to reflect one provision or clause 
that addresses compliance with the CUI Framework by private entities seeking to do 
business with the federal government. This provision or clause should be mirrored in 
agency specific acquisition regulations or guidance. 



10. Implementation Timeline and Resources 

Full implementation of the CUI Framework requires significant resources, especially with 
respect to IT safeguards. Previously released safeguarding guidance required Federal IT 
systems to make use of encryption, two-factor authentication for remote access, and other 
secure system and data access procedures. Many agencies are still developing procedures 
to meet these requirements. Accelerating the implementation of the safeguarding 
requirements could impact resource constraints at certain agencies. 

Raising the level of IT safeguards, however, was not among the factors mandating the 
replacement of the existing 107 disparate SBU regimes, the development of the CUI 
Framework, or the expansion of the CUI Framework beyond its current scope. Those 
actions were mandated by the need to bring standardization, ease information sharing, and 
increase government transparency to the world of SBU information. If, in the alternative, 
implementation focuses on the core requirements of training, marking and oversight, 
while still requiring an extraordinary effort, the mandates of the CUI Framework can likely 
be achieved for a fraction of the cost anticipated by current planning. 

Therefore, to see more immediate improvements without requiring an inordinate and 
potentially impossible investment, the Task Force believes that implementation should 
begin with the foundational aspects of the CUI Framework - training, marking, and 
oversight, while the EA works to identify or develop appropriate IT safeguarding 
requirements and capabilities. Automated tools could greatly ease the burden of 
identifying and marking efforts by providing users with clear choices - such as are 
available through drop-down menus, as well as aiding oversight and CUI management 
efforts. 

Specifically, Federal agencies should prioritize: 

• Establishing agency CUI Programs. 

• Implementing an EA-provided training program on the fundamentals of CUI and 
the importance of maintaining public trust in government. 

• Adopting the CUI markings and dissemination controls, while phasing out the use 
of existing markings. 

• Deploying automated tools, such as the Intelligence Community’s Classification 
Management Tool, on unclassified networks to enable common and consistent 
markings. 

• Establishing oversight and reporting mechanisms. 
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The Task Force recognizes that should the recommendation to expand the scope of CUI be 
accepted, the EA would need to provide extraordinary support to non-ISE agencies to 
ensure effective implementation of the CUI Framework, and the EA’s staffing and resource 
requirements would have to be addressed. Likewise, even with a phased implementation 
as recommended herein, successfully implementing the CUI Framework without impeding 
existing operations and programs would require that the agencies receive clear budgetary 
guidelines from OMB, and that the necessary resources be made available. 

Transitioning to the new markings under CUI will largely be a matter of change 
management, in which agency leadership should be held accountable for implementing 
plans and policies to ensure the workforce transitions to CUI in a timely manner. 

Implementing compliance and reporting processes and procedures would facilitate a 
clearer understanding of how much information is being protected, and for what reasons. 
Further, if made available to the public, the results of these reporting and oversight 
requirements will further government transparency. 



Recommendation #31 Phase Implementation of Training, Marking, Oversight and 
Reporting 



CUI implementation should prioritize: 

• Establishing agency CUI Programs. 

• Implementing EA-provided baseline training program as well as agency developed 
intermediate and advanced level training, 

• Adopting the CUI markings and dissemination controls, while phasing out the use 
of existing markings. 

• Implementing automated tools on unclassified networks to enable common and 
consistent markings. 

• Establishing oversight and reporting mechanisms. 



Recommendation #32 Phase Implementation of Technical Safeguards 



Information Technology safeguards should be phased into the CUI Framework pursuant to 
timelines established by the EA when, in coordination with the CIO Council, the EA 
determines that technical safeguards will enhance, and not degrade, the effectiveness of the 
CUI Framework. 



Recommendation #33 Marking Initiation 



Marking in accordance with the CUI Framework should begin as directed by the EA. No 
CUI marking should be done prior thereto. Material previously developed and 
disseminated, printed, or otherwise memorialized should not be remarked. Information 
that continues to be disseminated should be remarked at agency discretion. 
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Recommendation #34 Ensure Adequate Resourcing of Executive Agent 



The extraordinary efforts required of the EA to develop and implement the expanded scope 
CUI Framework, as well as the criticality of EA effectiveness in those efforts to the success 
of the CUI Framework, should be recognized and appropriately resourced to include 
funding, permanent staff, and agency detailees. 



Recommendation #35 Synchronize CUI Implementation with Government Processes 
and Cycles 



CUI implementation should be incorporated into the appropriate policy, budgetary, and 
administrative cycles so that the implementation of the CUI Framework better aligns with 
current agency and Federal government business practices. 



Recommendation #36 Impact of CUI on the Federal Enterprise Architecture 



Members of the CUI Council should solicit feedback from their agency CIOs on how the 
CUI Framework can most effectively be incorporated into the Federal Enterprise 
Architecture (“FEA”), reflecting priorities which support business processes to enhance 
efficiency in implementation. This feedback should then be reviewed with OMB, and 
based on OMB feedback, the CUI Council - through agency CIOs and other appropriate 
policy officials - should work to develop specific input to the FEA within established 
guidance for review and possible incorporation into government- wide FEA guidance. 



Recommendation #37 Incorporate CUI into Federal Grant Guidance 



Federal grant guidelines for State, local and tribal government should be amended to 
facilitate federal grants utilization for implementation of the CUI Framework among our 
State, local and tribal information sharing partners, as appropriate. 



3.3 Measures to Track Progress in Implementation of CUI 

The 2009 Memorandum identifies three presumptive goals for implementation of the 
Framework: 

• standardization ; 

• information sharing; and 

• government transparency 

Implementation of CUI will require significant cultural changes, including a more 
proactive balancing of security and openness. Given that an overemphasis of either 
security or openness will jeopardize these goals, ongoing assessment should be a 
prominent part of the implementation process. 
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The Task Force identified three stages of CUI Framework implementation: 

• Planning — the Framework is developed, tested, and put in place, including EA 
and agency policies, the CUI Registry, and the CUI training program; 

• Transition — agencies modify existing practices to conform to the Framework; 
and 

• Sustainment — agencies consistently apply the Framework as standard practice 

The measures used to track progress will change based on the stage of implementation, but 
they will always support the overarching goals established by the 2009 Memorandum. In 
order to fully assess the Framework, the status quo must be understood and documented. 

It will be critical to perform baseline analysis and develop ongoing measurement programs 
that fully meet these complex goals. In addition, annual reporting will allow for 
independent public analysis as to the maintenance of the required balance, thereby 
improving accountability. The Task Force affirms the importance of measuring and 
tracking the implementation and effectiveness of the Framework. 



Recommendation #38 Annual Report of the Executive Agent 



The EA should publish an annual report to the President, that is also made available to the 
Congress and the public, that provides the status of CUI implementation to include 
performance measurement data developed pursuant to Recommendation #40, and other 
information as deemed appropriate by the EA in consultation with the CUI Council. 



Recommendation #39 Establish a Baseline Measurement of Current SBU Efforts 



Based on the system established above, the EA should immediately undertake to establish a 
baseline measurement of SBU activity to support future implementation and assessment 
efforts. 



Recommendation #40 Measure Implementation 



The EA, in coordination with OMB (including the Chief Performance Officer and the 
Resource Management Office) and appropriate expert support, should develop a system to 
measure the implementation of CUI that addresses the various phases of implementation 
and is effectively tied to the federal budget cycle. 
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Part 4. Conclusion 



Through its 90-day study, the CUI Task Force concluded that within the Executive Branch, 
information sharing and transparency suffer from inconsistency in SBU policies, 
uncertainty in interagency settings as to what policies apply to SBU information, and the 
inconsistent application of even similar policies across agencies. The general lack of 
effective, standardized training and oversight at many agencies results in a tendency to 
over-protect information. 

The Controlled Unclassified Information (CUI) Framework provided a good start toward 
addressing these deficiencies, but was intended to do so only with regard to terrorism- 
related information. The Task Force has concluded that a single, standardized framework 
for marking, safeguarding, and disseminating all Executive Branch SBU is required to 
further the goals of standardization, information sharing, and government transparency. 

The Task Force recommendations are intended to overlay, and in some cases modify, the 
CUI Framework established by the 2008 Memorandum. Building upon that Framework, 
the Task Force has proposed 40 Recommendations, including simplifying the definition of 
CUI; expanding the scope of the CUI Framework; clarifying that limits of CUI markings - 
such as with regard to releases under FOIA or to Congress; and phasing implementation of 
the expanded scope of CUI to ensure no disruption to agencies’ mission performance or 
the security of information. 
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APPENDIX 1 



Entities Consulted by the CUI Task Force 

Government Entities 

• Controlled Unclassified Information Council 

• Department of Energy, Office of Classification 

• Deputy to the Director of the Federal CIO Council 

o Privacy Committee of the Federal CIO Council 

• Legislative Staff Representing: 

o Senate Homeland Security and Governmental Affairs Committee 
o House Committee on Homeland Security 
o House Committee on Oversight and Government Reform 
o House Committee on the Judiciary 
o House Permanent Select Committee on Intelligence 

• Excepted Regime Program Offices 

• Concurrent Executive Order 12958 Review 

• Office of National Drug Control Policy 

• Non-ISE Agencies: 

o Department of Labor 
o Department of Agriculture 
o Department of Education 
o National Air and Space Administration 
o Consumer Product Safety Commission 
o Federal Energy Regulatory Commission 

• State, Local, and Tribal Government Partners 

o International Association of Chiefs of Police 
o Garden Grove, California Police Department 
o Minnehaha County, South Dakota Sheriffs Office 
o Florida Department of Law Enforcement 
o American Probation and Parole Association 

Non-Government Entities 

• Critical Infrastructure Partnership Advisory Council 

• National Industrial Security Program Policy Advisory Committee 

• Privacy and Open Government Advocacy Organizations 

o American Civil Liberties Union 
o The Constitution Project 
o Openthegovernment.org 
o Federation of American Scientists 
o National Security Archive 
o Public Citizen 
o OMB Watch 

o Electronic Frontier Foundation 
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APPENDIX 2 



SBU Markings Currently in Use 



1 . SENSITIVE 

2 . DO NOT DISSEMINATE 

3. SBU-NF 

4. SBU/ NOFORN 

5. UNLIMITED RIGHTS 

6 . GOVERNMENT PURPOSE RIGHTS 

7. LIMITED RIGHTS 

8. RESTRICTED RIGHTS 

9 . SPECIAL LICENSE RIGHTS 

1 0 . PRE-EXISTING MARKINGS 

1 1 . COMMERCIAL MARKINGS 

12. CLOSE HOLD 

13. RSEN 

1 4. PREDECISIONAL PRODUCT 

1 5 . SOURCE SELECTION SENSITIVE 

1 6 . DEA SENSITIVE (DEA S) 

17. SENSITIVE (SENS) 

18. COPYRIGHT (DATE) (OWNER) 

1 9 . DELIBERATE PROCESS PRIVILEGE 

20. RELIDO 

21. EYES ONLY 

2 2 . BANK SECRECY ACT INFORMATION 
(BSA) 

2 3 . ACQUISITION SENSITIVE 

24. ATTORNEY WORK PRODUCT 

25. LIMITED ACCESS 

2 6 . RESTRICTED ACCESS 
27. MEDICAL RECORDS 

2 8 . LAN INFRASTRUCTURE 
29. IT SECURITY RELATED 

3 0 . LAN BACKUP SENSITIVE 

INFORMATION 

3 1 . SOURCE SELECTION INFORMATION 

32. TRADE SECRET 

33. ATTORNEY CLIENT 

34. BUDGETARY INFORMATION 

35. PRE-DECISIONAL, 

3 6 . FOR INTERNAL USE ONLY 
3 7 . NOT FOR DISTRIBUTION SAFEGUARDS 
INFORMATION (SGI) 

3 8 . AGENCY INTERNAL USE ONLY 
(U//AIUO) 

3 9 . TRADE SENSITIVE INFORMATION 

40. SENSITIVE BUT UNCLASSIFIED (SBU) 

4 1 . HEALTH RELATED INFORMATION 
(EM) 

42. NO DISTRIBUTION (NODIS OR ND) 

43 . LAW ENFORCEMENT SENSITIVE (LES) 

44. EXCLUSIVE DISTRIBUTION (EXDIS OR 
XD) 



45 . FOR OFFICIAL USE ONLY (FOUO) 

46. SENSITIVE STUDENT RECORDS (STR) 

47. CONFIDENTIAL BUSINESS 
INFORMATION (CBI) 

48. LIMITED OFFICIAL USE (LOU) 

49. LIMITED DISTRIBUTION 

5 0 . LIMITED DISTRIBUTION (LIMDIS) 

5 1 . SENSITIVE INFORMATION (SINFO) 

5 2 . COVERED BY CONFIDENTIALITY 
AGREEMENT 

5 3 . ORIGINATOR CONTROLLED (ORCON) 
54. CONTRACTUAL SENSITIVE 
INFORMATION 

5 5 . ENFORCEMENT CONFIDENTIAL 
INFORMATION (ECI) 

5 6 . LIMITED OFFICIAL USE INFORMATION 
(LOUI) 

5 7 . SUBSTANCE ABUSE RECORDS (SAB) 

5 8 . SENSITIVE SECURITY INFORMATION 

(SSI) 

5 9 . TITLE III COMMUNICATIONS (T3) 

6 0 . FEDERAL TAXPAYER INFORMATION 
6 1 . TECHNOLOGY TRANSFER 

INFORMATION 

6 2 . BOMB TECH SENSITIVE (BTS) 

6 3 . CFIUS INFORMATION (CFIUS) 

64. RESTRICTED BY COURT ORDER (CO) 

65 . LIMITED USE ONLY (LUO) 

6 6 . PRIVACY ACT PROTECTED 

INFORMATION (PAPI) 

6 7 . PROPRIETARY INFORMATION 
(PROPIN) 

6 8 . CHILD VICTIM/ WITNESS (CH) 

69. FINANCIAL RECORDS (NON-NSL) (FR) 

7 0 . FINANCIAL RECORDS NSL (NSLF) 

7 1 . SOURCE SELECTION INFORMATION 
7 2 . LIMITED CREDIT INFORMATION NSL 
(NSLC) 

7 3 . SELECT AGENT SENSITIVE 
INFORMATION (SASI) 

74. CALEA COST RECOVERY 
INFORMATION (CALEA) 

7 5 . INNOCENT IMAGES VISUAL 
INFORMATION (IIVI) 

7 6 . SENSITIVE TREATY/MOU/NDA 
INFORMATION (STM) 

7 7 . PRIVILEGED FBI ATTORNEY CLIENT 
7 8 . OFFICIAL USE ONLY-SMALL BUSINESS 
7 9 . OFFICIAL USE ONLY-PROTECTED 

COOPERATIVE CENSUS CONFIDENTIAL 
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80. SBU-GSA-BI 

8 1 . OFFICIAL USE ONLY (OUO) 

8 2 . ATTORNEY/ CLIENT PRIVILEGED 
8 3 . GRAND JURY MATERIAL (FGJ) 

84. OFFICIAL USE ONLY-APPLIED 

TECHNOLOGY 

8 5 . DOD UNCLASSIFIED CONTROLLED 

NUCLEAR INFORMATION (DOD UCNI) 
8 6 . OFFICIAL USE ONLY-PATENT 
CAUTION INFORMATION 
8 7 . CONFIDENTIAL CONTRACT PROPOSAL 
INFORMATION (CCPI) 

8 8 . CONTROLLED NUCLEAR 

INFORMATION (U//DCNI OR 
U//ECNI) 

8 9 . CHEMICAL-TERRORISM 

VULNERABILITY INFORMATION (CVI) 

9 0 . NAVAL NUCLEAR PROPULSION 

INFORMATION (U-NNPI) 

9 1 . OFFICIAL USE ONLY-EXPORT 
CONTROLLED INFORMATION 
9 2 . NAVAL NUCLEAR PROPULSION 
INFORMATION (NOFORN) 

9 3 . SENSITIVE UNCLASSIFIED NON- 
SAFEGUARDS INFORMATION (SUNSI) 

94. PROTECTED CRITICAL 
INFRASTRUCTURE INFORMATION 
(PCII) 

95 . OFFICIAL USE ONLY - SENSITIVE 
INTERNAL INFORMATION 

9 6 . TELEPHONE OR ELECTRONIC 

COMMUNICATIONS NSL (NSLT) 

9 7 . JUVENILE - PROTECT IDENTITY IN 

ACCORDANCE WITH 18 USC 5031 (JI) 
9 8 . SENSITIVE INFORMATION- SPECIAL 
HANDLING REQUIRED 
9 9 . SENSITIVE WATER VULNERABILITY 
ASSESSMENT INFORMATION 



100. LIMITED OFFICIAL USE-LAW 
ENFORCEMENT SENSITIVE (LOU-LES) 

101. EXPORT CONTROLLED INFORMATION 
(OR MATERIAL) (ECI) 

102. SENSITIVE HOMELAND SECURITY 
INFORMATION (SHSI) 

103. OPERATIONS SECURITY PROTECTED 
INFORMATION (OSPI) 

1 04. DISSEMINATION IS PROHIBITED 
EXCEPT AS AUTHORIZED BY AR 20-1 

105. COMMUNICATION/ ATTORNEY 
WORK PRODUCT (PRV) 

106. RESEARCH AND DEVELOPMENT 
AGREEMENT INFORMATION 

107. INNOVATION RESEARCH 
INFORMATION AND SMALL BUSINESS 

108. CONFIDENTIAL INFORMATION 
PROTECTION AND STATISTICAL 
EFFICIENCY ACT OF 2002 (CIPSEA) 

109. WITNESS SECURITY PROGRAM - 
PROTECT IDENTITY IN ACCORDANCE 
WITH 18 USC 3521 (WS) 

110. SENSITIVE DRINKING WATER RELATED 
INFORMATION (SDWRI) 

111. CONTRACTOR ACCESS RESTRICTED 
INFORMATION (CARI) 

112. COMPUTER SECURITY ACT SENSITIVE 
INFORMATION (CSASI) 

113. SMALL BUSINESS INNOVATION 
RESEARCH (SBIR) PROGRAM 

114. PERSONALLY IDENTIFIABLE 
INFORMATION - PRIVACY ACT OF 
1974 

115. PERSONNEL DATA, PRIVACY ACT OF 
1974 (5 U.S.C. 552A) 

116. FOR OFFICIAL USE ONLY- LAW 
ENFORCEMENT SENSITIVE (FOUO-LES) 

117. FOREIGN INTELLIGENCE 
SURVEILLANCE ACT (FISA) 
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APPENDIX 3 



Acronyms used in this report 



CIO 

CUI 

CVI 

DHS 

DOD 

DOI 

DOJ 

EA 

FAR 

FBI 

FEA 

FOIA 

FOUO 

HHS 

HIPAA 

ISE 

IT 

LES 

NARA 

ODNI 

OMB 

PCII 

PM-ISE 

SBU 

SGI 

SSI 

USDA 



Chief Information Officer 

Controlled Unclassified Information 

Chemical-Terrorism Vulnerability Information 

Department of Homeland Security 

Department of Defense 

Department of Interior 

Department of Justice 

Executive Agent 

Federal Acquisition Regulation 

Federal Bureau of Investigation 

Federal Enterprise Architecture 

Freedom of Information Act 

For Official Use Only (FOUO) 

Department of Health and Human Service 

Health Insurance Portability and Accountability Act 

Information Sharing Environment 

Information Technology 

Law Enforcement Sensitive 

National Archives and Records Administration 

Office of the Director of National Intelligence 

Office of Management and Budget 

Protected Critical Infrastructure Information 

Program Manager, Information Sharing Environment 

Sensitive But Unclassified 

Safeguards Information 

Sensitive Security Information 

Department of Agriculture 
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